This topic is now archived and is closed to further replies.

itman

Does Eset Detect S5Mark As UA, PUA, or Malware?

Bitdefender recently published a whitepaper on Zacinlo malware which can be downloaded from here: https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/ .

Besides deploying a rootkit in the form of a validly signed device driver, the signing cert. now thankfully revoked, one of the Zacinlo malware components was s5Mark, a fake VPN utility. It appears s5Mark has been around for some time. Using the hashes for s5Mark provided in the whitepaper, I noticed that Eset per VirusTotal lookup did not detect any of its components; even the installer. I don't want to make a big deal about the VT non-detection since we have discussed that might not be fully representative of Eset's detection capability. However, I would like to know if Eset is flagging s5Mark as at least a UA/PUA since it has been deployed in other malware incidents.

s5Mark Hashes



I will also add that the "adware" version of s5Mark that surfaced last year employed a SmartService component used to disable AV processing. This version of SmartService, i.e. file hash - 1d4236b3c446c1ab86c577615cc52d4edc99bf5b4077cd93e6cd37b90d6991a0, was deployed through a separate installer which Eset detects.

It appears that this latest malware "weaponized" version of s5Mark no longer deploys a separate installer for SmartService but instead installs its components via the s5Mark installer.
